7 May 20:07
Re: Header sanitization
From: Brian Rectanus <Brian.Rectanus <at> breach.com>
Subject: Re: Header sanitization
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-07 18:07:46 GMT
If you just want to log the username in the audit log, then you should
be able to use the setuid action for this.
EX:
SecAction "pass,nolog,setuid:%{REMOTE_USER}"
OR, if you want it for all, not just authenticated:
SecRule REQUEST_HEADERS:Authorization "^Basic\s+(\S+)" \
"phase:1,t:none,capture,pass,nolog,chain"
SecRule TX:1 "^([^:]+)" \
"t:none,t:base64Decode,capture,setuid:%{tx.1}"
And in the audit log you should have the following in part 'H'
WebApp-Info: "WebAppName" "SessionId" "UserName"
-B
Nick Gearls wrote:
> I found a possible solution.
> If we write a filter to strip the password, then we could
> 1. map the "base64(user:pwd)"
> 2. decode64 it, strip pwd, and map it again
> 3. print TX.1 in log
>
>
> Questions:
>
> 1. Any generic function to strip things after the colon ?
> If not, we could write a generic sub plug-in.
>
> 2. This works on rules checking the Authorization header.
> Any way to add this for all log entries ?
>
> Thanks,
>
> Nick
>
>
> Nick Gearls wrote:
>> Hello,
>>
>> For obvious privacy reasons, it is advisable to sanitize the header
>> "Authorization" in the log.
>> However, it may be handy to have the userid part of it in case of an
>> error trap.
>> Any possibility ?
>>
>> Thanks,
>>
>> Nick
>>
>>
>
--
Brian Rectanus
Breach Security
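
The decode, strip and re-log steps Nick describes in the quoted message, written out as an added Python example; it is not code from this thread or from ModSecurity. The function name, the mask string and the sample credentials are constructed for illustration.

```python
import base64
import binascii

MASK = "****"  # constructed placeholder written in place of secret material


def sanitize_authorization(header_value):
    """Return (log_safe_header, user_id or None) for an Authorization value."""
    scheme, _, credentials = header_value.strip().partition(" ")
    credentials = credentials.strip()
    if scheme.lower() != "basic" or not credentials:
        # Bearer, Digest, Negotiate, ...: there is no user:password pair to
        # split, so keep only the scheme name and mask the rest.
        return f"{scheme} {MASK}".strip(), None
    try:
        decoded = base64.b64decode(credentials, validate=True)
    except (binascii.Error, ValueError):
        # Malformed Base64: never echo the raw value, it may still hold a secret.
        return f"Basic {MASK}", None
    # The user-id cannot contain ':' but the password can (RFC 7617),
    # so split on the first colon only.
    user_bytes, sep, _password = decoded.partition(b":")
    if not sep:
        return f"Basic {MASK}", None
    user = user_bytes.decode("utf-8", errors="replace")
    # Escape control characters so the user-id cannot forge extra log lines.
    user = user.encode("unicode_escape").decode("ascii")
    return f"Basic {user}:{MASK}", user


if __name__ == "__main__":
    # Constructed sample: user "nick", password containing a colon.
    sample = "Basic " + base64.b64encode(b"nick:s3cr:et").decode("ascii")
    print(sanitize_authorization(sample))
    print(sanitize_authorization("Bearer constructed.token.value"))
```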